09-20-2010 12:37 AM - edited 03-10-2019 05:08 AM
Hi Guys,
Do you have any idea which signatures need to be enabled to prevent Qualys from successfully scanning my internal assets?
I have an AIP-SSM module on a 5510 ASA firewall.
Regards
09-22-2010 04:37 AM
This would depend on the specific vulnerabilities that Qualys is attempting to detect; but there are not any Qualys-specific signatures present in the Cisco IPS sensor.
The most direct method would be to determine the source IP address of the Qualys scanning systems, and deny those addresses with the ASA.
Scott
09-22-2010 07:11 AM
Hi Scott,
The signatures that are firing on the IPS are 6005 and 3010, and they are indicating that they are blocking traffic, but still Qualys is able to scan and generate a report indicating server vulnerabilities.
I know I can block it from the ASA, but that is not the purpose; the customer needs to block Qualys scans via the IPS signatures. Please advise.
Regards
09-22-2010 07:18 AM
By default, neither signature 3010/0 nor 6005/0 denies traffic, though you indicate that both signature events indicate they are blocking traffic.
These details will be critical in knowing whether the IPS is reacting correctly.
Scott
09-23-2010 12:36 AM
Hello,
I fine-tuned these signatures to deny traffic and they are doing well; however, Qualys is still able to generate a report and find vulnerabilities.
The AIP-SSM is configured in inline mode.
Regards
09-23-2010 03:37 AM
What deny action have you assigned to the signatures? If you did not assign the 'Deny Attacker Inline' action, only the traffic specific to the tuned signatures will be denied - any traffic not matched by those signatures will not be denied. Are the vulnerabilities being found the same as detected by signatures 3010/0 (TCP High Port Sweep) and 6005/0 (Unencrypted SSL Traffic)?
It is also possible that Qualys is using more than one host for scanning, and the other hosts are not being detected and denied and in turn can determine existing vulnerabilities.
Again, to afford a more guaranteed protection from a known source, implementing a complete block on the ASA would be the preferred method.
Scott
10-21-2010 06:42 AM
Hi Scott,
The customer was claiming that the old 4235 IPS he used was actually stopping the Qualys scan. Indeed, he replaced his AIP-SSM running the latest software with the 4235 IPS running version 5, and we found out that signature 1312 (TCP MSS below minimum) was firing, whereas on the AIP-SSM it is not, although it is enabled and not retired.
This had an impact on the Qualys scan, for which the 4235 was more effective. Any ideas why this is happening?
Regards
10-22-2010 05:55 AM
It is possible that the TCP normalization process on the ASA is correcting the MSS issue. This normalization occurs prior to the packet being forwarded to the AIP-SSM for inspection; therefore the traffic does not match signature 1312/0 and it will not fire.
Scott
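As an added illustration of the ordering Scott describes (this is not code from the thread, from Cisco, or from Qualys): a Python model in which a normalizer step rewrites an undersized MSS before a simplified "TCP MSS below minimum" check sees the SYN, so the check never fires on normalized traffic. The 400-byte threshold, the port numbers and the SYN segment are constructed assumptions for the demonstration.

```python
import struct
MSS_KIND = 2       # TCP option kind for Maximum Segment Size (RFC 793)
MINIMUM_MSS = 400  # assumed threshold for this demo, not the signature's or the ASA's real default

def build_syn(mss):
    """Constructed sample: a bare TCP SYN header (no IP header) advertising the given MSS."""
    options = struct.pack("!BBH", MSS_KIND, 4, mss) + b"\x01\x01\x01\x00"  # MSS, NOP x3, EOL
    # ports 40000 -> 443, seq/ack 0, data offset in 32-bit words, SYN flag (0x02), window 65535
    return struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, ((20 + len(options)) // 4) << 4,
                       0x02, 65535, 0, 0) + options

def _iter_options(opts):
    """Yield (offset, kind, length) for each TCP option, skipping NOP and stopping at EOL."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            return
        if kind == 1:            # NOP occupies a single byte
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2:           # malformed option; stop instead of looping forever
            return
        yield i, kind, length
        i += length

def _mss_offset(segment):  # byte offset of the 16-bit MSS value inside segment, or None
    header_len = (segment[12] >> 4) * 4
    for off, kind, length in _iter_options(segment[20:header_len]):
        if kind == MSS_KIND and length == 4:
            return 20 + off + 2
    return None

def tcp_mss(segment):
    off = _mss_offset(segment)
    return None if off is None else struct.unpack("!H", segment[off:off + 2])[0]

def sig_1312_fires(segment, minimum=MINIMUM_MSS):
    """Model of 'TCP MSS below minimum': true when the SYN advertises an MSS under the threshold."""
    mss = tcp_mss(segment)
    return mss is not None and mss < minimum

def normalize_mss(segment, minimum=MINIMUM_MSS):
    """Model of the normalizer step: rewrite an undersized MSS up to the minimum before inspection."""
    off = _mss_offset(segment)
    if off is None or tcp_mss(segment) >= minimum:
        return segment
    return segment[:off] + struct.pack("!H", minimum) + segment[off + 2:]
```

Running `sig_1312_fires` on `build_syn(100)` directly fires, while running it on `normalize_mss(build_syn(100))` does not, which is the behaviour difference between the standalone 4235 and the AIP-SSM behind the ASA described above.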
10-22-2010 06:11 AM
Hi Scott,
What should be done in this case?
Regards